US starts to tackle hacking curse

By Joseph Menn

A simple click of the mouse can open a door to a criminal hacker who – unknown to the computer owner – can then remotely control a machine, making it divulge bank account numbers, passwords and corporate secrets. A network of such remote-controlled machines – known as a botnet – can launch attacks on websites for political or commercial reasons.

This year, activist hackers used botnets to temporarily take websites of the CIA and the UK’s Serious Organised Crime Agency offline. Botnets have previously been used to silence official and media sites and sow confusion during the 2008 armed conflict between Russia and Georgia.

The US, by some estimates, has more computers infected with botnet programs than any other country. But as different parts of the computing industry have blamed one another for the spread of botnets, the US has only now taken its first steps to tackle the problem.

Late last month, the commerce and homeland security departments asked for public comments on whether they should encourage internet service providers – which know the condition of their customers’ machines – to voluntarily warn their subscribers if they appear to have been compromised.

As the US has lagged, other countries have moved ahead. Since 2007, most internet service providers in Japan have notified consumers if their machines appear to be part of a botnet and offered government-funded tools to clean the computers. This voluntary programme, which costs only $5m annually, has reduced the rate of botnet infection from about 2.5 per cent of personal computers to just 0.6 per cent.

In Australia, the Internet Industry Association established a voluntary code of conduct for service providers that came into effect in January. Net access providers serving more than 90 per cent of the connected population have pledged to notify customers about suspicious activity, help them stop it, and if need be quarantine them so that the computers cannot browse the wider web until they have been repaired.

“The Australian experiment has been stunningly successful,” said Michael Barrett, chief information security officer for PayPal. “We will see more countries adopting this model.”

In the US, by contrast, only a few major service providers have so far alerted consumers that they may be unwitting participants in a global crime ring or clandestine political fight.

One reason is helpdesk costs, though regulators say a jointly run support centre may resolve this. Another is the fear that customers could blame the provider and move to another carrier. “They are not in the security business, they are in the business business,” said Steve Santorelli, of Team Cymru, an internet security research company. “If someone comes to a service provider and says ‘This will make the world a better place, but it could cost you 20 per cent of your customers’, they are going to say something very rude.”